Supporting Tools for Designing-By-Contract in Component based Applications

Supporting Tools for Designing-By-Contract in Component based Applications Antonio Coronato 1, Antonio d Acierno 2, Diego D Ambrosio 3, and Giuseppe De Pietro 3 1 DRR-CNR, Via Castellino 111, 80131 Napoli, Italy coronato.a@ na.drr.cnr.it} 2 ISA-CNR, Via Roma, 52 Avellino, Italy dacierno.a@isa.cnr.it} 3 ICAR-CNR, Via Castellino 111, 80131 Napoli, Italy depietro.g@cps.na.cnr.it} Abstract. This paper deals with the modeling and the automatic implementation of constraints in component based applications. Constraints have been assuming an ever more relevant role in modeling distributed systems as long as business rules implementation, design-by-contract practice, and faulttolerance requirements are concerned. Nevertheless, component developers are not sufficiently supported by existing tools to model and implement such features. In this paper, we propose a set of tools that enable developers both to model component constraints and to automatically generate component skeletons that already implement such constraints. 1. Introduction In the last decade the nature of software systems has remarkably changed. In particular, the widespread diffusion of computer networks, as well as the constant growth of information systems responsibilities has led to new software architectures, no more single, huge, and strongly centralized systems, but highly-distributed ones. Software distribution has initially been realized by decomposing software systems in modules, which implemented specific functions. They were able to run on distinct computers and adopted the remote procedure call paradigm as basis communication mechanism. More recently, software distribution has taken place by implementing and releasing cooperating software artifacts called components. A software component is a software element that can independently be deployed and composed without modification to support enterprise business processes [1]. A key point for the success of component-based software development practice has just been the possibility of having a more efficient and a relative easier software reuse. The wide diffusion of component-based architectures as a distributed system paradigm has also been pushed up by the emerging of middleware technologies like CORBA, DCOM, and more recently Web Services, which offer several facilities for developing and deploying cooperating distributed objects over heterogeneus platforms.

2 Antonio Coronato, Antonio d Acierno, Diego D Ambrosio, and Giuseppe De Pietro In this work we focus on CORBA platforms. In particular, we are interested in developing new CORBA components applying a design-by-contract technique. The design-by-contract method, which was primarily proposed by Bertrand Meyer in [13], is now a well established tool for developing reliable software systems. Such a technique fundamentally relies on the simple and compelling idea of designing systems as a set of cooperating abstract boxes that achieve their common goal by verifying specified contracts. A contract establishes what each participant of a collaboration has to do in order to get the promised results [6]. Design-by-contract has recently been adopted by Cheesman and Daniels in their component-oriented modeling process [6]. Such a process specifies workflows and activities that a designer has to perform in order to get complete component specifications. A complete component specification includes i) the component interface; ii) the intercomponents collaborations; and iii) a set of contracts (constraints) as pre-conditions, post-conditions, and invariants that apply to the system components. To build new CORBA components, developers model component architecture via the Unified Modeling Language (UML) [4]. Then, they model components interfaces by using the standard Interface Definition Language (IDL) [11]. Next, such interfaces are compiled by idl compilers to obtain component skeletons. Component skeletons are empty components that already integrate inter-component communication mechanisms, but do not have business logic yet. Finally, developers fill the component skeletons by adding the component business logic. It is worth to note that UML enables designers to produce low-fidelity models to capture high-level system characteristics in the early design phase, as well as high-fidelity models to specify low-level system details in the late design phase. The fidelity is to be intended as the measure of the correspondence between the model and the final system [12]. However, several component characteristics, like relationships and constraints, which can be modeled via UML, are not automatically implemented into component skeletons. This happens because component skeletons are automatically generated by idl compilers, which process idl models, but IDL doesn t provide support for modeling such characteristics. Indeed, IDL was devised to model only interfaces. It doesn t have to deal with structural features. As a consequence, component skeletons do not keep any track of several structural characteristics although they have been specified in the UML models. We can conclude that the component skeletons fidelity is quite low, where we define the component skeleton fidelity as the measure of how close a component skeleton is to its final implementation. The target of this research activity is to provide tools able to automatically produce skeletons that already implement structural characteristics as invariants, preconditions, post-conditions, and guard conditions. This assures a higher degree of component skeleton fidelity. Moreover, this makes the implementation phase less time consuming and reduces development costs. In addition, it also reduces software faults by having reduced the manual programming impact. In this paper, in section 2 we briefly report some motivations and related work. In section 3 we describe the proposed tools. In particular, we present i) the Constraint Description Language (CDL), which is a modeling language derived from the standard OCL [3]; ii) the Component Constraint Generator (CoCoGen), which is a tool able to process textual CDL constraint models and to automatically implement such constraints in enhanced component skeletons; and iii) the Component Constraint

Supporting Tools for Designing-By-Contract in Component based Applications 3 Modeler (CoCoMod), which is a visual UML-based modeling tool for specifying component interfaces and constraints; it is also able to automatically generate both IDL and CDL models. Sections 4 deals with a case study and presents the developing process. Section 5 concludes the paper and reports some directions for future work. 2. Motivations and related work Modeling and implementation of constraints is a need for designers and developers. We have already cited the design-by-contract technique and its application in the component development process proposed by Cheesman and Daniels. There are others developing processes that use contracts in component based applications. Catalysis is just a further example [7]. However, contracts are used also in other specific activities. Indeed, designers can effectively model enterprise business rules as constraints [2]. In [19], a process for implementing collaborations among distributed components is proposed; such a process relies on the use of constraints. In [18], a technique for isolating faults is presented; this technique requires the insertion of contracts in the source code. Faults are isolated into the bundle of executed software instructions grouped by the last verified contract, and the first violated one. Several examples of programming languages and tools, which offer facilities to support constraints, are described in literature. Eiffel [5] and Turing [16] are two relevant, constraint-oriented, programming languages. In [14], the Annotation PreProcessor (APP) tool for C programs is presented. In such a case, invariant conditions, pre-conditions, and post-conditions are formalized as comment lines directly in the source code; then, such comment lines are processed by a precompiler tool that translates the specified constraints into source code. The same approach is followed in [20] for the Java programming language. However, an important limit for existing tools, in our opinion, is that constraints have to be specified directly in the source code, so that the specification of constraints can take place only in the late implementation phase. Such considerations can make easily understandable the need of having methodologies, processes, and tools able to support designers and developers who are willing of taking care of software constraints and logic assertions, possibly already in the design phase and without concerning about the implementation details. Unfortunately, current CORBA platforms do not provide any support for that as clearly denounced in [15]. In this paper, we describe an integrated set of tools able to assist designers both in modeling contracts in CORBA components and to automatically generate the proper source code. However, we do not define any new programming language, but we provide a visual UML-based environment for specifying component interfaces and constraints. Finally, it s worth to note that we have extended the typologies of constraints. In particular, our tools enable to specify guard conditions and some intercomponent relationships as constraints. For all such constraints, facilities that automatically generate the equivalent source code are provided.

4 Antonio Coronato, Antonio d Acierno, Diego D Ambrosio, and Giuseppe De Pietro 3. The proposed tools High level tools architecture is shown in figure 1. Designers use CoCoMod for producing UML models of components that describes both interfaces and constraints. CoCoMod automatically generates textual IDL and CDL models. Next, from CoCoMod, designers can run the regular idl compiler and successively the CoCoGen tool that realizes enhanced component skeletons. CDL Models CoCoMod Tool CoCoGen Tool enhanced skeletons IDL Models idl compiler regular skeletons Figure 1 - High level architectural view The Constraint Description Language The modeling language that we defined to formalize constraints is the Constraint Description Language (CDL). This is basically derived from the standard OCL and slightly adapted to component architecture features. The original idea was to adopt the OCL as is but, from one hand, we experienced that only a subset of OCL expressions can automatically be implemented by generation tools. Indeed, being OCL a declarative language, for some kinds of logical expressions it s really hard to define generic implementation patterns. From one another hand, we have found useful to provide support for modeling guard conditions, which enables designers to specify some kinds of business rule, and for intercomponents relationships, which are not supported by the standard IDL. The current version of OCL doesn t provide direct support for that, whereas the forthcoming version will take guard conditions into account as reported in the last RfP. We have also found useful to have mechanisms for specifying state changes or forcing the execution of operations one a condition is satisfied. This facility cannot be supported by OCL that is defined to be a side-effect free language. These considerations have suggested the introduction of a new language, the CDL, which has been thought to be as close as possible to OCL; i.e. CDL syntax is almost the same of OCL one, as well as general properties, but CDL has also been specially devised to provide support for the automatic implementation of constraints in component based applications.

Supporting Tools for Designing-By-Contract in Component based Applications 5 CDL (as well as OCL) is a formal language that remains easy to read and write because it doesn t rely on particularly complex mathematical constructs. It is not a programming language; therefore, it is not possible to write program logic. As OCL, it is a typed language, so that each expression has a type and, to be well formed, a CDL expression must conform to the type conformance rules of the language. Finally, as a specification language, all implementation issues are out of scope and cannot be expressed in CDL, but it enables designers to produce textual models, which can easily be processed by automatic tools to generate source code. A brief description of CDL and OCL keywords is reported in table 1. The keywords supported by OCL and not supported by CDL indicates the characteristics that can not be automatically implemented by the current version of the tools described in the next sections. It is worth to note that constraints are still specified via a declarative approach. This enables designers to model rules by abstracting away from any implementation choice. By this way, designers continue to work without concerning about implementation details. Keyword Description OCL Context This keyword indicates the class or the operation to which the rule is referred to INV This keyword indicates an invariant condition PRE This keyword indicates a pre condition POST This keyword indicates a post condition GUARD This keyword indicates a guard waiting for a condition ASSOCIATION This keyword indicates an association between two classes TOWARD This keyword indicates the end point of an association AGGREGATION This keyword indicates an aggregation between two classes AGGREGATE This keyword indicates what are the aggregated object in an aggregation AGGREGATEDTO This keyword indicates what is the aggregated object in an aggregation COMPOSITION This keyword indicates a composition between two classes COMPOSE This keyword indicates what is the composed object in a composition COMPOSED This keyword indicates what are the composing objects in a composition MULTIPLICITY This keyword indicates the multiplicity of a relation SELF This keyword indicates the current instance of a class EXECUTE This keyword indicates an operation to execute @PRE This keyword indicates the previous value of a variable Table 1 - The CDL Language keywords The Component Constraint Generator CoCoGen is a generation tool that processes CDL textual models and then enhances the component skeletons generated by a regular IDL compiler. The tool is dependent from the target platform, i.e. a specific CORBA platform needs a specific constraint generator. Currently, CoCoGen supports two CORBA platforms: CORBA

6 Antonio Coronato, Antonio d Acierno, Diego D Ambrosio, and Giuseppe De Pietro TAO [9], which is an open CORBA platform of the Washington University; and the Java CORBA ORB [8], which is a free CORBA compliant platform distributed with the J2SE environment. CoCoGen architecture is shown in figure 2. It consists of the following main elements: Coordinator This is the main thread that coordinates the processing phases; Parser This module is in charge of analyzing CDL models and generating constraints data structures; Processor This component implements constraints in the target component skeleton; Scheduler This module coordinates the implementation of constraints, which needs proper nesting operations in the component skeletons. It is worth to note that the Processor is the only component which is platform specific. In other words, each CORBA platform requires a specific Processor. CoCoGen operates in two phases. During the first phase, the Parser analyzes the input CDL models and then builds some data structures that are used during the second phase by the Scheduler. The Scheduler drives the Implementer, which executes specific implementation patterns depending on the type of the constraint. Coordinator activetasks () : void Parser - filename findconstraints () : ConstraintListManager 1 managed_by * managed ConstraintListManager addinvariant (Constraint br) : void addguard (Constraint br) : void addprecondition (Constraint br) : void addpostconditoin (Constraint br) : void Scheduler schedule (ConstraintListManager lismgr) : int Processor ConstraintList - numberofelemenent : int addbusinessrule (Constraint br) : void readbusinessrule () : Constraint implementinv (Constraint br, NewSkeleton skeleton) : int implementpre (Constraint br, NewSkeleton skeleton) : int implementpost (Constraint br, NewSkeleton skeleton) : int implementguard (Constraint br, NewSkeleton skeleton) : int - - - context condition type Constraint setcontext (java.lang.string context) getcontext () settype (java.lang.string type) gettype () setcondition (java.lang.string condition) getcondition () : void : void : void NewSkeleton newskeleton (java.lang.string filename) read () write (java.lang.string string) save (java.lang.string filename) : void : void : int Figure 2 CoCoGen architecture

Supporting Tools for Designing-By-Contract in Component based Applications 7 The Component Constraint Modeler CoCoMod is a visual environment that enables designers to model both component interfaces and constraints. Interfaces are modeled as UML classes, whereas constraints are inserted as properties of the corresponding interface and expressed in CDL. From these graphical models, CoCoMod generates both IDL interface models and CDL constraint models. These textual models are platform independent. After that, from this tool, the developer can invoke the execution of a platform specific idl compiler. Two choices are currently available, tao_idl and idlj for the two distinct supported platforms (CORBA TAO and Java CORBA ORB). This step generates the regular component skeletons for the selected CORBA platform. Next, the designer invokes the execution of the CoCoGen tool that processes the CDL models so far generated, and then inserts in the regular component skeletons the proper source code for implementing constraints. The result consists of a set of enhanced component skeletons that already implement constraints. Figure 3 shows some functionalities of the CoCoMod tool. In particular, figure 3.a presents the workspace panel, from which designers can create project modules (packages) and interfaces. Figure 3.b shows the property panel for an interface. From this panel, it is possible to add not only interface operations and attributes, but also constraints as invariants, pre-conditions, post-conditions, and guards. (a) Figure 3 CoCoMod functionalities (b)

8 Antonio Coronato, Antonio d Acierno, Diego D Ambrosio, and Giuseppe De Pietro 4. Case study This section presents a simple case study in order to show an application of the proposed tools. We focus on a system that must offer cataloguing and exposing functions for relics owned by an archeological museum. Relics are classified by age, epoch, style, and type. A cataloguing card, which includes technical descriptions and pictures, is associated to each relic. Relics are also periodically verified in order to establish whether to restore them or not. Verifications, as well as restorations, are performed in specialized laboratories. Any time a relic is restored or verified, a verification timeout is set to establish how long to wait before having the next verification. Such a timeout must always range between maximum and minimum values (suppose 6 months and 24 months respectively) established for relics classes by generic criteria. Museums can lend/borrow relics to/from other museums in order to organize special events. Relics can be lent only if they are available (not on verification/restoration). Likewise, relics can be verified/restored only if the verification timeout is expired and they have not been lent (they are currently available) to other museums. In the following, the development activities are described. Modeling the system As shown in figure 3.a, three new components are designed: Relic, Museum, CataloguingCard. Relic is the component containing relic objects, which are owned by a museum. CataloguingCard stores information about the associated relic and its operations of verification, restoration, and lending. A relic can be in the following state: Verifying The relic is on verification in order to be restored Restoration The relic is on restoration Lending The relic has been lent Available The relic is available in the museum It has also been supposed to have a background procedure that periodically checks the verification timeouts and sets the toverify attribute when the timeout has expired. The next_verification attribute of CatalougingCard realizes the verification timeout, which memorizes the number of months to wait for the next verification. We can assume the following business rules and constraints: Business Rule 1 Each relic must be periodically verified o Constraint 1.1 Before having the next verification, one must wait for at least 6 months and no more than 24 months. o Constraint 1.2 A verification can be performed only if the relic is available and its verification timeout has expired. Business Rule 2 Relics can be lent to other museums. o Constraint 2.1 A relic can be lent only if available A couple of pre and post conditions are specified for the verify operation. In particular, the pre-condition verifies constraint 1.2, whereas the post-condition forces a new state for the relicstate attribute. In order to implement all the previous business

Supporting Tools for Designing-By-Contract in Component based Applications 9 rules and constraints, further conditions have been formalized. Indeed, a guard condition, which executes the verify operation any time the executing condition gets true, has been inserted in order to implement the business rule 1. Rule 2 affects the lend method, which can be executed only if the relic is available. Moreover, the lend operation must set the relic state to lending. Similar constraints must hold for restore and take_back operations. In addition, an invariant constraint has been set over the next_verification attribute in order to assure correct updates. After having completed the modeling activity, CoCoMod generates the IDL model reported in figure 4 and the CDL model shown in figure 5. -- IDL model module CaseStudy struct Date short day; short month; long year; }; interface Relic attribute string name; attribute string type; attribute string style; attribute long age; }; interface CataloguingCard attribute long cardid; attribute string description; attribute string picture; attribute boolean toverify; attribute string relicstate; attribute long next_verification; attribute Date last_verification; }; void verify( ); void restore( ); void lend( ); void take_back( ); void show_card( ); interface Museum attribute string name; attribute string address; attribute string city; }; }; void plan_event( ); void add_relic( ); Figure 4 - IDL interfaces for the system components

10 Antonio Coronato, Antonio d Acierno, Diego D Ambrosio, and Giuseppe De Pietro -- CDL models package CaseStudy ; context CataloguingCard inv: (( self.next_verification >= 6) and (self.next_verification <= 24 )) context CataloguingCard guard: if ((self.toverify == true ) and ( self.relicstate == available )) then execute self.verify() endif context CataloguingCard::verify(): void pre: (( self.relicstate == available ) and ( self.toverify == true )) context CataloguingCard::verify(): void post: self.relicstate = verifying context CataloguingCard::restore(): void pre: self.relicstate == available context CataloguingCard::restore(): void post: self.relicstate = restoring context CataloguingCard::lend(): void pre: self.relicstate == available context CataloguingCard::lend(): void post: self.relicstate = lent context CataloguingCard::take_back(): void post: self.relicstate = available endpackage; Figure 5 Constraint model From now on, to keep simple the example, we focus on the CataloguingCard component only. Compiling IDL interfaces This activity produces preliminary skeletons of components. We decided to implement components for the Java CORBA ORB platform. The idlj compiler is launched from the CoCoMod tool itself. Generating components constraints After having produced regular component skeletons, from CoCoMod we lauched the CoCoGen post-processor tool, which modified the initial component skeletons in order to implement constraints.

Supporting Tools for Designing-By-Contract in Component based Applications 11 Figure 6 shows the resulting CataloguingCard component skeleton. Source code is added accordingly with specific development patterns. All software lines added to the original skeleton are shown as bold lines in the figure. However, to keep simple the figure, we reported only few pieces of the component skeleton. Such a skeleton is now ready to be filled up with the business logic. This activity must be manually performed by programmers, who, however, do not have to care anymore about the implementation of constraints since it has been performed by the CoCoGen tool. package CaseStudy; public abstract class _CataloguingCardImplBase extends org.omg.corba.portable.objectimpl implements CaseStudy.CataloguingCard, org.omg.corba.portable.invokehandler switch ( method.intvalue ()) case 11: // CaseStudy/CataloguingCard/_set_next_verification int newnext_verification = in.read_long (); if ( ( newnext_verification >= 6) & ( newnext_verification <= 24 ) ) this.next_verification (newnext_verification); out = $rh.createreply(); } else throw new org.omg.corba.unknown( operation impossible ); break; } case 14: // CaseStudy/CataloguingCard/verify if (( this.relicstate ().equals ( available ) ) & (this.toverify ()==true)) this.verify(); this.relicstate ( verifying ); out = $rh.createreply(); } else throw new org.omg.corba.unknown( operation impossible ); break; } Figure 6 Enhanced component skeleton 5. Conclusions Constraints can no more be neglected while modeling and building component applications. We can also state that current components skeletons fidelity is quite low. The possibility of having automatic tools able to produce component skeletons with an higher degree of fidelity would have valuable effects in terms of development

12 Antonio Coronato, Antonio d Acierno, Diego D Ambrosio, and Giuseppe De Pietro time, development costs, software correctness, and so on. One way to improve the component skeleton fidelity is given by automatically implementing component constraints. In this paper we proposed and integrated environment composed by two tools, CoCoGen and CoCOMod. CoCoGen is a tool for generating constraints-related code into component skeletons; for such an aim, we formalized implementation patterns for invariants, pre-conditions, post conditions and guards. Our tool has been integrated in an UML compliant visual environment (CoCoMod) that we built to enable designers to visually define components interfaces and constraints, and to generate (for two major CORBA platforms) skeletons that already implement constraints. Regarding our work in progress, some enhancements are being considered. First, we are extending CoCoMod with a graphic metaphor for modeling constraints, so that OCL will become an internal language and will no longer directly be used by software architects and developers. We are also considering other CORBA platforms together with the possibility of extending CoCoGen to other middleware platforms, such as RMI or SOAP. References [1] G. T. Heineman and W. T. Councill, Component-Based Softwar Engineering, Addison- Wesley publishing, 2001. [2] R. G. Ross, The Business Rule Book, Business Rule Solutions, 2 nd Ed., 1997. [3] J. Warmer and A. Kleppe, The Object Constraint Language: Precise Modeling with UML, Addison-Wesley publishing, 1999. [4] Hans-Erik Eriksson and Magnus Penker, UML toolkit, Wiley publishing. [5] B. Meyer, Object Oriented Construction, Englewood Cliffs, NJ: Prentice-Hall, 1988. [6] J. Cheesman and J. Daniels, UML Components A Simple Process for Specifying Component-Based Software, Addison-Wesley, 2003 [7] D.F. D Souza and A.C. Wills, Objects, Components, and Frameworks with UML: The Catalysis Approach, Addison-Wesley, 1999 [8] Sun Microsystems, CORBA Technology and the Java2 Platform, Standard Edition, available at http://java.sun.com/j2se/1.4.2/docs/guide/corba/index.html [9] http://www.cs.wustl.edu/~schmidt/tao.html [10] ORBIX 2000 Tutorial, available at http://www.iona.com/docs. [11] ISO/IEC 14750 standard. [12] N. Medidovic, D. S. Rosenblum, D. F. Redmiles, and J. E. Robbins, Modeling Software Architectures in the Unified Modeling Language, ACM Transactions on Software Engineering and Methodology, Vol 1, N. 1, January 2002, Pages 2-57. [13] B. Meyer, Applying Design by contract, IEEE Computer, October 1992, Pages 40-51. [14] D. S. Rosenblum, A Practical Approach to Programming with Assertion, IEEE transactions on Software Engineering, Vol. 21. No. 1, January 1995, Pages 19-31.

Supporting Tools for Designing-By-Contract in Component based Applications 13 [15] J. M. Jézéquel and B. Meyer, Design by contract: The Lessons of Ariane, IEEE Computer, January 1997. [16] R. C. Holt and J. R. Cordy, The Turing Programming Language, Communication of ACM, Vol. 31, No. 12, December 1988. [17] A. Coronato, M. Cinquegrani, and G. De Pietro, Adding Business Rules and Constraints in Component Based Applications, in proc. of the 2002 International Symposium on Distributed Objects and Applications (DOA 2002), Irvine, California, USA - LNCS 2519. [18] L. C. Briand, Y. Labiche, H. Sun, Investigating the use of analysis contracts to support fault isolation in object oriented code ACM SIGSOFT Software Engineering Notes, Proceedings of the international symposium on Software testing and analysis, Volume 27 Issue 4. [19] E. Cariu, A. Beugnard, and J. M. Jezequel, An Architecture and a Process for Implementing Distributed Collaborations, in the proc. of the 6 th Int. Enterprise Distributed Object Computing conference (EDOC 02), IEEE Computer Society Press. [20] R. Kramer, icontract the Java Design by Contract tool, in proc. of International Conference of Object Oriented Language and Systems (TOOLS 26, USA 98), IEEE Computer Society Press.